encryption

A pinch of salt – Encrypt WAL-G PostgreSQL backups

TheDatabaseMe
19. February 202319. February 2023

WAL-G is a widely known backup software for Postgres databases. One of it’s features is to backup to S3 storage out of the box. Also it’s capable to encrypt those backups and WAL archives with several encryption methods (e.g. libsodium). Since WAL-G is implemented within the Zalanndo Spilo image and therefore deployed by default with the Zalando Postgres Operator on Kubernetes, I had a deeper look on how to get encrypted backups implemented there, cause this is not documented well.

Let’s keep this our secret – Transparent Git encryption using git-crypt

TheDatabaseMe
13. April 202213. April 2022
2 Comments

Storing sensitive or secret information within a Git repository is never a good idea, at least as long as you do it unencrypted. Whoever has access to the Git repository, can view and change this sensitive data. Storing encrypted data within a Git repo has also the downside, that you need to decrypt it while you want to work with the data and you have to remember to reencrypt it, before pushing it back again. Here comes git-crypt into play. Git-crypt gives you a transparent method to de- and encrypt data during pulling and pushing from or to your Git repository.

Alles sicher – Kubernetes Secrets verschlüsselt speichern mit “Sealed Secrets”

TheDatabaseMe
27. November 20216. February 2022

Kubernetes Secrets sind ein einfacher Weg um Konfigurationen oder Parameter in Kubernetes zu speichern um sie in den Pods / Containern wiederzuverwenden. Allerdings täuscht der Name Secret, ein Secret wird nicht verschlüsselt und sicher Kubernetes abgelegt sondern lediglich kodiert. Eine dekodierung ist jederzeit möglich. Das gilt für das Manifest als auch für die Secret Ressource im Cluster. Mit Sealed Secrets können wir zumindest die Informationen im Manifest verschlüsseln um sie z.B. in einem Git Repository sicher zu speichern.